/dev/urandom is supposed to be as solid as /dev/random, except acute paranoia: https://www.2uo.de/myths-about-urandom/ I played with Dieharder (evolution of the famous Diehard statistics tests) There was a known bug wth 500 & 501 generators (/dev/random and /dev/urandom): https://bugzilla.redhat.com/show_bug.cgi?id=803292 https://bugs.gentoo.org/677386 Once this bug is fixed, or by using a file filed with binary data (dieharder -g 201 ...) I still find weaknesses with urandom 1. I get at least one WEAK result nearly every time I run "dieharder -a -g 501" 2. These weaknesses do not appear with /dev/random 3. The tests which failed are not always the same. Failed tests I got so far: rgb_lagged_sum (7 times), rgb_bitdist (6), sts_serial (3), rgb_minimum_distance (2), rgb_permutations (2), diehard_crap, diehard_rank_32x32, rgb_kstest_test, sts_runs Am I doing something wrong or is there a true weakness in /dev/urandom? Example: $ dieharder -a -g 501 #=============================================================================# # dieharder version 3.31.1 Copyright 2003 Robert G. Brown # #=============================================================================# rng_name |rands/second| Seed | /dev/urandom| 1.79e+07 |1200973343| #=============================================================================# test_name |ntup| tsamples |psamples| p-value |Assessment #=============================================================================# diehard_birthdays| 0| 100| 100|0.46753772| PASSED diehard_operm5| 0| 1000000| 100|0.84242621| PASSED diehard_rank_32x32| 0| 40000| 100|0.22126282| PASSED [snip] sts_serial| 12| 100000| 100|0.59332179| PASSED sts_serial| 12| 100000| 100|0.99723352| WEAK <--- sts_serial| 13| 100000| 100|0.73984626| PASSED sts_serial| 13| 100000| 100|0.75394894| PASSED sts_serial| 14| 100000| 100|0.53569954| PASSED sts_serial| 14| 100000| 100|0.84443587| PASSED sts_serial| 15| 100000| 100|0.70062655| PASSED sts_serial| 15| 100000| 100|0.86398789| PASSED sts_serial| 16| 100000| 100|0.77044189| PASSED sts_serial| 16| 100000| 100|0.40665896| PASSED rgb_bitdist| 1| 100000| 100|0.23117788| PASSED rgb_bitdist| 2| 100000| 100|0.72830922| PASSED rgb_bitdist| 3| 100000| 100|0.96816091| PASSED rgb_bitdist| 4| 100000| 100|0.58267893| PASSED rgb_bitdist| 5| 100000| 100|0.42065873| PASSED rgb_bitdist| 6| 100000| 100|0.71015893| PASSED rgb_bitdist| 7| 100000| 100|0.99864266| WEAK <--- rgb_bitdist| 8| 100000| 100|0.59789616| PASSED [snip] $ _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Le mer. 15 mai 2019 à 06:24, Sidney Markowitz <sidney@sidney.com> a écrit : > One important point of the article is that a result of PASSED does not mean > that the RNG has passed a test, it means that it has with high probability not > failed; a result of FAILED means that it has with high probability failed; and > a result of WEAK indicates uncertainty in the results, not that the RNG is > close to passing or close to failing a test. WEAK is an indication that you > need to make the test stronger (e.g. with more p samples) until the > uncertainty is resolved one way or another. The article is a demonstration of > how to do that. So I should run the tests in "resolve ambiguity" mode, like this? dieharder -a -g 501 -k 2 -Y 1 man dieharder says: -k ks_flag - ks_flag 0 is fast but slightly sloppy for psamples > 4999 (default). 1 is MUCH slower but more accurate for larger numbers of psam‐ ples. 2 is slower still, but (we hope) accurate to machine precision for any number of psamples up to some as yet unknown numerical upper limit (it has been tested out to at least hundreds of thousands). 3 is kuiper ks, fast, quite inaccurate for small samples, depre‐ cated. -Y Xtrategy - the Xtrategy flag controls the new "test to failure" (T2F) modes. These flags and their modes act as follows: 0 - just run dieharder with the specified number of tsamples and psamples, do not dynamically modify a run based on results. This is the way it has always run, and is the default. 1 - "resolve ambiguity" (RA) mode. If a test returns "weak", this is an undesired result. What does that mean, after all? If you run a long test series, you will see occasional weak returns for a perfect generators because p is uniformly distrib‐ uted and will appear in any finite interval from time to time. Even if a test run returns more than one weak result, you cannot be certain that the generator is failing. RA mode adds psamples (usually in blocks of 100) until the test result ends up solidly not weak or proceeds to unambiguous failure. This is morally equivalent to running the test several times to see if a weak result is reproducible, but eliminates the bias of personal judgement in the process since the default failure threshold is very small and very unlikely to be reached by random chance even in many runs. This option should only be used with -k 2. _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography

Using "dieharder -a -g 501 -k 2 -Y 1 -P 10000000" I still get WEAK results. I can hardly increase the -P parameter, as the memory use skyrockets. I got a FAIL once but was unable to reproduce ut. _______________________________________________ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography